Install ESMC di Centos 7.x


# Instalasi ESET Security Management Center – CentOS 7.x

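# Add the EPEL repository
yum install epel-release

# Add the MySQL 5.7 community repository.
# Fetched over HTTPS rather than plain HTTP: this release package installs the
# repository definition and signing key that later MySQL packages are checked
# against, so it must not be alterable in transit.
rpm -Uvh https://dev.mysql.com/get/mysql57-community-release-el7-7.noarch.rpm

# Update the OS
yum update

# Install the dependencies for CentOS 7.x
yum install -y wget lshw mysql-community-server mysql-connector-odbc xorg-x11-server-Xvfb cifs-utils krb5-workstation samba samba-winbind-clients openldap-clients net-snmp-utils net-snmp policycoreutils-devel java-1.8.0-openjdk tomcat qt4-webkit links yum-plugin-versionlock httpd setroubleshoot-server mod_ssl cyrus-sasl-gssapi cyrus-sasl-ldap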

# Edit the Apache configuration
vi /etc/httpd/conf/httpd.conf


# In httpd.conf, change the Listen directive so Apache listens on the proxy port
Listen 3128

# Change the include line in httpd.conf
# From
IncludeOptional conf.d/*.conf

# To
# (after this change proxy.conf is the only file loaded from conf.d;
# other drop-ins in that directory are no longer included)

# Caching proxy
IncludeOptional conf.d/proxy.conf

# Create the new configuration file for the proxy
vi /etc/httpd/conf.d/proxy.conf

# Insert the following configuration into proxy.conf

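##################################################################
############### ESET HTTP Proxy configuration ####################
#
# Forward caching proxy for ESET clients on port 3128.
# Access model: <Proxy *> denies every destination by default and the
# <ProxyMatch> sections below re-allow specific hosts. Keep both parts
# together: with ProxyRequests On and no default deny this would be an
# open proxy.
# Deny/Allow are httpd 2.2-style directives; on httpd 2.4 they depend on
# mod_access_compat being loaded.

#
# Enable HTTP Cache
#
CacheEnable disk http://
CacheDirLevels 4
CacheDirLength 2
CacheDefaultExpire 3600
CacheMaxFileSize 200000000
CacheMaxExpire 604800
CacheQuickHandler Off
CacheRoot /var/cache/httpd/proxy

# Ports that CONNECT tunnels through this proxy may target
AllowCONNECT 443 563 2222

# Optional upstream proxy. The URL embeds credentials, so restrict read
# access to this file if the line is enabled.
#ProxyRemote * http://user_proxy:password_proxy@IPSERVERPROXY:3128

ProxyRequests On
ProxyVia On

CacheLock on
CacheLockMaxAge 10
ProxyTimeOut 900

SetEnv proxy-initial-not-pooled 1

# Straight double quotes are required here; typographic quotes copied from
# a web page are not treated as quoting by httpd.
ErrorLog "|/usr/sbin/rotatelogs -n 10 /var/log/httpd/error_log 1M"

# First vhost on *:3128, so it serves every request that does not match
# the named vhost below.
<VirtualHost *:3128>
ProxyRequests On
</VirtualHost>

# Requests addressed to r.edtd.eset.com are reverse-proxied to the HTTPS
# origin; CONNECT is refused for this name.
<VirtualHost *:3128>
ServerName r.edtd.eset.com

<If "%{REQUEST_METHOD} == 'CONNECT'">
Require all denied
</If>

ProxyRequests Off
CacheEnable disk /
SSLProxyEngine On

RequestHeader set Front-End-Https "On"
ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=10 smax=10
# NOTE(review): ProxyPassReverse names http:// while ProxyPass uses https:// - confirm this is intended
ProxyPassReverse / http://r.edtd.eset.com/ keepalive=On
</VirtualHost>

# Default deny for every proxied destination
<Proxy *>
Deny from all
</Proxy>

# Allow-list. In the patterns below the [h,H]-style classes also accept a
# literal comma ([hH] would be the tight form); they are left as published.
# Dots in literal host names and IP prefixes are escaped so that "." cannot
# stand in for an arbitrary character and admit a look-alike host.

#*.eset.com:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[c,C][o,O][m,M](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#*.eset.eu:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[e,E][u,U](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#*.eset.systems:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?([a-zA-Z0-9-]{0,63}\.)?[a-zA-Z0-9-]{0,63}\.[e,E][s,S][e,E][t,T]\.[s,S][y,Y][s,S][t,T][e,E][m,M][s,S](:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#Antispam module (ESET Mail Security only):
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(ds1-uk-rules-1\.mailshell\.net|ds1-uk-rules-2\.mailshell\.net|ds1-uk-rules-3\.mailshell\.net|fh-uk11\.mailshell\.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#Services (activation)
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(edf-pcs\.cloudapp\.net|edf-pcs2\.cloudapp\.net|edfpcs\.trafficmanager\.net)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>
#ESET servers accessed directly via IP address:
<ProxyMatch ^([h,H][t,T][t,T][p,P][s,S]?://)?([^@/]*@)?(91\.228\.165\.|91\.228\.166\.|91\.228\.167\.|38\.90\.226\.)([0-9]+)(:[0-9]+)?(/.*)?$>
Allow from all
</ProxyMatch>

#Microsoft trusted roots distribution
<ProxyMatch (?i)^http:\/\/www\.download\.windowsupdate\.com\/msdownload\/update\/v3\/static\/trustedr\/.*\/.*?$>
Allow from all
</ProxyMatch>
#Microsoft pki (crt and crl)
<ProxyMatch (?i)^http:\/\/.*\.microsoft\.com\/pki\/.*$>
Allow from all
</ProxyMatch>
# MS Network Connectivity Status Indicator https://technet.microsoft.com/en-us/library/cc766017(v=ws.10).aspx
<ProxyMatch (?i)^http://www\.msftncsi\.com/ncsi\.txt$>
Allow from all
</ProxyMatch>
#Symantec/thawte ocsp/crl
<ProxyMatch (?i)^http:\/\/.*\.symcd\.com\/.*$>
Allow from all
</ProxyMatch>
#Symantec ocsp
<ProxyMatch (?i)^http:\/\/ocsp\.verisign\.com\/.*?$>
Allow from all
</ProxyMatch>

# The three commented examples below allow proxying to your own ESMC
# server. Enable only the one that matches how clients address it.

#Allow connection to my ESMC Server machine, matching by hostname and IP
#<ProxyMatch ^(hostname\.example(:[0-9]+)?(\/.*)?|10\.1\.1\.123(:[0-9]+)?(\/.*)?)$>
#Allow from all
#</ProxyMatch>

#Allow connection to my ESMC Server machine, matching by FQDN or hostname
#<ProxyMatch ^(console\.awanpintar(:[0-9]+)?(\/.*)?)$>
#Allow from all
#</ProxyMatch>

#Allow connection to my ESMC Server machine, matching by IP; in this example the ESMC IP is 10.1.1.123
#<ProxyMatch ^(10\.1\.1\.123(:[0-9]+)?(\/.*)?)$>
#Allow from all
#</ProxyMatch>

################### End Of Configuration #########################
##################################################################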

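# Allow Apache to bind port 3128 under SELinux
semanage port -m -t http_port_t -p tcp 3128

# Open the proxy port in firewalld (skip if firewalld is not installed).
# This opens 3128 to every source in the public zone; the source-restricted
# rich rules shown later on this page are the narrower option.
firewall-cmd --zone=public --add-port=3128/tcp --permanent
# --permanent only changes the saved configuration; reload to apply it now
firewall-cmd --reload


# Set the SELinux label for the cache directory (optional)
semanage fcontext -a -t httpd_cache_t "/var/cache/httpd(/.*)?"

# Apply the SELinux label to the directory (optional)
restorecon -Rv /var/cache/httpd

# Let Apache open outbound network connections, which the proxy needs.
# The boolean is not limited to the proxy's destinations, so the allow-list
# in proxy.conf remains the control on where requests may go.
setsebool -P httpd_can_network_connect 1

# Equivalent alternative spelling of the same setting:
# setsebool -P httpd_can_network_connect true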

# Set up the htcacheclean service: linking the unit into
# httpd.service.requires makes it a requirement of httpd.service
mkdir -p /etc/systemd/system/httpd.service.requires
ln -s /usr/lib/systemd/system/htcacheclean.service /etc/systemd/system/httpd.service.requires

# Edit the htcacheclean parameters
vi /etc/sysconfig/htcacheclean

# Add the following parameters (CACHE_ROOT matches CacheRoot in proxy.conf)
# NOTE(review): "L12000" in OPTIONS has no leading dash - check it against
# the htcacheclean usage output on this host before relying on it
INTERVAL=60
CACHE_ROOT=/var/cache/httpd/proxy
LIMIT=5000M
OPTIONS=-t -i -n L12000

# Enable Apache at boot
systemctl enable httpd

# Restart the Apache service
systemctl restart httpd

# List what the Apache proxy has cached so far
/usr/sbin/htcacheclean -a -p /var/cache/httpd/proxy/

# Test the proxy by requesting a site that is not on the ProxyMatch allow-list
wget www.google.com -e use_proxy=yes -e http_proxy=MyDearERAServer:3128

# Jika Error

— http://www.google.com/

=> ‘index.html’

Connecting to YourDearERAServer:3128… connected.

Proxy request sent, awaiting response… 403 Forbidden

15:05:34 ERROR 403: Forbidden.

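# Maka proxy telah jalan: www.google.com tidak termasuk dalam daftar ProxyMatch yang diizinkan, sehingga 403 Forbidden berarti proxy aktif dan menolak tujuan di luar daftar tersebut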

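# Downgrade the ODBC connector to version 5.3.10
yum downgrade mysql-connector-odbc-5.3.10

# Lock the MySQL components so they are not upgraded.
# The pattern is quoted so the shell passes it to yum instead of expanding it
# against files in the current directory.
# Locked packages also stop receiving security updates until the lock is
# removed, so review the lock periodically.
yum versionlock 'mysql-*'

# Start MySQL
systemctl start mysqld

# Read the generated temporary root password from the log
grep 'A temporary password is generated for root@localhost' /var/log/mysqld.log | tail -1

# Set the MySQL root password
mysql_secure_installation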

# Edit the MySQL configuration
vi /etc/my.cnf

# Add the following settings below the [mysqld] section header

# ESET Requirement
max_allowed_packet = 500M
innodb_log_file_size = 100M
innodb_log_files_in_group = 4

# Restart MySQL so the new settings are read
systemctl restart mysqld

## Make MySQL start when the OS boots
systemctl enable mysqld

# Copy the ESMC Console web archive into Tomcat's webapps directory
cp era.war /var/lib/tomcat/webapps/

# Restart the Tomcat service
systemctl restart tomcat

# Make Tomcat start when the OS boots
systemctl enable tomcat

# Download the server-linux, Agent-linux and RDSensor-Linux packages here.
# These installers are run with full privileges below: take them only from
# the vendor page and, if the vendor publishes checksums, compare them first.
https://www.eset.com/int/business/security-management-center/download/#standalone

# Make the installers executable so they can be run
chmod +x Server-Linux-x86_64.sh
chmod +x Agent-Linux-x86_64.sh
chmod +x MDMCore-Linux-x86_64.sh
chmod +x RDSensor-Linux-x86_64.sh


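# Install ESMC Server (replace the MySQL password and the password that will
# be used to log in to ESMC with your own values).
# Options need two ASCII hyphens and straight quotes; the typographic dashes
# and quotes a web page substitutes for them are not parsed as options.
# Passwords given as arguments are visible in the process list and in shell
# history while and after the command runs; use a private session and rotate
# them if that is a concern.
# NOTE(review): --db-user-username=root makes the application use the MySQL
# root account, and --cert-hostname="*" appears to issue the server
# certificate for any host name; a dedicated database user and the real host
# name are the narrower choices - confirm against the installer help.
# NOTE(review): --enable-imp-program presumably opts in to the vendor's
# product improvement program - confirm before keeping it.
./Server-Linux-x86_64.sh --skip-license --db-driver="MySQL ODBC 5.3 Unicode Driver" --db-hostname=127.0.0.1 --db-port=3306 --db-admin-username=root --db-admin-password=mysqlpassword --server-root-password="Passwordlogin" --db-user-username=root --db-user-password=mysqlpassword --cert-hostname="*" --enable-imp-program

# Try opening the ESMC Web Console.
# This URL is plain HTTP on port 8080, so the console login is not encrypted
# in transit; limit it to a trusted network segment.
http://IP_ADDRES_ATAU_HOSTNAME:8080/era

# Back up the certificate
#https://help.eset.com/esmc_admin/70/en-US/export_a_public_key.html
#https://help.eset.com/esmc_admin/70/en-US/export_a_public_key.html?export_certificate.html

# Install the Agent (use the ESMC login password that was set above)
# NOTE(review): --cert-auto-confirm presumably accepts the server certificate
# without an interactive check - confirm the peer is the intended server.
./Agent-Linux-x86_64.sh --skip-license --hostname=localhost --port=2222 --webconsole-hostname=localhost --webconsole-port=2223 --webconsole-user=administrator --webconsole-password="passwordlogin" --cert-auto-confirm --enable-imp-program

# Install RDSensor
./RDSensor-Linux-x86_64.sh --skip-license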

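# Open firewall ports (skip if firewalld is not installed).
# These rules admit every source in the public zone. 137-139 and 445 are
# NetBIOS/SMB ports; open them this broadly only if the zone contains
# nothing but the managed network.
firewall-cmd --zone=public --add-port=2222/tcp --permanent
firewall-cmd --zone=public --add-port=2223/tcp --permanent
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-port=139/tcp --permanent
firewall-cmd --zone=public --add-port=445/tcp --permanent
firewall-cmd --zone=public --add-port=137/udp --permanent
firewall-cmd --zone=public --add-port=138/udp --permanent
firewall-cmd --zone=public --add-port=1237/udp --permanent
firewall-cmd --zone=public --add-port=1238/udp --permanent

# For source-restricted access, use rich rules like these INSTEAD of the
# matching blanket --add-port rules above; a blanket rule for the same port
# makes the source restriction ineffective.
# Each rule is one command with the rule text in single quotes.
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="8080" protocol="tcp" accept' --permanent
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="3128" protocol="tcp" accept' --permanent
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port port="2222" protocol="tcp" accept' --permanent
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port port="2223" protocol="tcp" accept' --permanent

# --permanent only changes the saved configuration; reload to apply it now
firewall-cmd --reload

# Enable the firewall at boot
systemctl enable firewalld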

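# OPTIONAL install, if the license is at least EEPS/EEPA

# Required materials
# - the agent certificate exported from ESMC
# - a new MDM certificate created in ESMC and exported as a pfx file
#   (a pfx normally carries the private key: keep it readable by root only
#   and remove stray copies after the install)

# Install MDM (the MDM hostname must be a publicly resolvable FQDN; use the
# same MySQL password and console password that were set for ESMC earlier).
# Options need two ASCII hyphens and straight quotes. Passwords given as
# arguments are visible in the process list and in shell history.
# NOTE(review): --cert-auto-confirm presumably accepts the server certificate
# without an interactive check - confirm the peer is the intended server.
./MDMCore-Linux-x86_64.sh --https-cert-path=PATH_Certificate_MDM_ESMC --port=2222 --db-type="MySQL" --db-driver="MySQL ODBC 5.3 Unicode Driver" --db-admin-username="root" --db-admin-password=PASSWORD_MYSQL --db-user-password=PASSWORD_MYSQL --db-hostname="127.0.0.1" --hostname=IP_ESMC --webconsole-password=PASSWORD_LOGIN_WEB_ESMC --cert-auto-confirm --mdm-hostname=FQDN_MDM --skip-license --enable-imp-program

# When upgrading from a previous version, run this form instead
./MDMCore-Linux-x86_64.sh --hostname=IP_ESMC --webconsole-password=PASSWORD_LOGIN_WEB_ESMC --mdm-hostname=FQDN_MDM --https-cert-path=PATH_Certificate_MDM_ESMC --skip-license --enable-imp-program

# Open firewall ports (skip if firewalld is not installed).
# The original listing repeated the 9981 rule; it is needed only once.
firewall-cmd --zone=public --add-port=9977/tcp --permanent
firewall-cmd --zone=public --add-port=9978/tcp --permanent
firewall-cmd --zone=public --add-port=9980/tcp --permanent
firewall-cmd --zone=public --add-port=9981/tcp --permanent
firewall-cmd --zone=public --add-port=5223/tcp --permanent
firewall-cmd --zone=public --add-port=2195/tcp --permanent
firewall-cmd --zone=public --add-port=2196/tcp --permanent
# --permanent only changes the saved configuration; reload to apply it now
firewall-cmd --reload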

# Tes Mobile Device Connector
https://IP_ADDRESS_ATAU_HOSTNAME:9980/

#Info lebih lengkap
http://kb.eset.co.id
https://help.eset.com/esmc_install/70/en-US/
https://support.eset.com/
